DNS Spoofing / Cache Poisoning

Security Glossary - DNS

Definition: DNS cache poisoning (also called DNS spoofing) is an attack in which a malicious actor gets forged DNS records accepted into a recursive resolver's cache, so that the resolver answers lookups for a domain with attacker-controlled data, most often a wrong IP address. Once the cache is poisoned, every client of that resolver is directed to the attacker's server until the cached entry's TTL expires.

Why DNS Cache Poisoning Is Important

DNS cache poisoning can redirect thousands of users at once because it targets the resolver's shared cache. When a popular public resolver is poisoned, every user relying on that resolver gets the wrong IP address for the targeted domain. This makes it an efficient attack vector for phishing, malware distribution, and traffic interception.

The classic cache poisoning attack (described by Dan Kaminsky in 2008) exploited two weaknesses of resolvers at the time: the only thing a forged response had to guess was the 16-bit transaction ID, because the resolver sent every query from a single fixed source port. The attacker triggers a lookup and floods the resolver with forged responses carrying guessed transaction IDs, racing the legitimate answer from the authoritative server. Kaminsky's refinement was to request a fresh random subdomain each round, so a lost race can be retried immediately instead of waiting for the cached record's TTL to expire, and to put forged NS and glue records for the whole zone in the authority and additional sections of the response, poisoning the zone's delegation rather than a single hostname. Modern resolvers randomize the source port as well as the transaction ID, which grows the space an off-path attacker has to guess from about 2^16 to about 2^32 per race, but the attacker is still only guessing: without DNSSEC the resolver has no way to tell a correctly guessed forgery from the genuine answer.
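The race described above, as an added example that is not part of the original page: a toy resolver that matches an incoming response on the same three things a real one does (destination port, transaction ID, question name), an attacker that sprays guessed responses round after round using a fresh random subdomain each time, and the closed-form probability for comparison. The zone name example.com, the round and packet counts, and the seed are assumptions chosen for illustration; the simulation models only the race, not the NS/glue payload of the real attack.

```python
import random

TXID_SPACE = 1 << 16                 # the DNS transaction ID is 16 bits
EPHEMERAL_PORTS = range(1024, 1 << 16)
FIXED_PORT = 53                      # pre-2008 resolvers sent every query from one fixed port


def resolver_accepts(pending, dst_port, txid, qname):
    """A resolver matches a response to its outstanding query by destination port,
    transaction ID and question name; without DNSSEC nothing else is checked."""
    return pending == (dst_port, txid, qname)


def kaminsky_race(rng, randomize_port, forged_per_round, max_rounds):
    """Simulate Kaminsky-style rounds against the toy resolver.

    Each round the attacker makes the resolver look up a fresh random subdomain of
    the target zone (a lost race costs nothing: no TTL to wait out), then sprays
    forged_per_round responses guessing the transaction ID and, if the resolver
    randomizes it, the source port. Returns the winning round number, or None.
    """
    for round_no in range(1, max_rounds + 1):
        qname = f"{rng.randrange(1 << 32):08x}.example.com."   # constructed, assumed target zone
        src_port = rng.choice(EPHEMERAL_PORTS) if randomize_port else FIXED_PORT
        pending = (src_port, rng.randrange(TXID_SPACE), qname)
        for _ in range(forged_per_round):
            guess_port = rng.choice(EPHEMERAL_PORTS) if randomize_port else FIXED_PORT
            guess_txid = rng.randrange(TXID_SPACE)
            if resolver_accepts(pending, guess_port, guess_txid, qname):
                return round_no
    return None


def success_probability(forged_per_round, rounds, randomize_port):
    """Closed-form chance that at least one of `rounds` races is won."""
    space = TXID_SPACE * (len(EPHEMERAL_PORTS) if randomize_port else 1)
    p_round = min(1.0, forged_per_round / space)
    return 1.0 - (1.0 - p_round) ** rounds


def run_demo(randomize_port, forged_per_round=500, max_rounds=2000, seed=1):
    """Deterministic wrapper around kaminsky_race for repeatable runs."""
    return kaminsky_race(random.Random(seed), randomize_port, forged_per_round, max_rounds)


if __name__ == "__main__":
    for randomize in (False, True):
        won = run_demo(randomize)
        print(f"source port randomized={randomize}: poisoned in round {won}, "
              f"analytical P(success) = {success_probability(500, 2000, randomize):.5f}")
```

With 500 forged packets per round, a fixed-port resolver is poisoned within a few hundred rounds, which on a LAN is seconds of traffic; with port randomization the same budget gives well under a 0.1% chance over 2,000 rounds, which is why the 2008 patches mattered, and why the attack is still possible in principle against a resolver that does not validate.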

DNSSEC is the definitive defense against cache poisoning because it lets a validating resolver verify cryptographically that the records it receives were signed by the zone owner and were not modified in transit; a forged response fails validation and is discarded instead of cached. It only helps when both halves are in place: the domain's zone must be signed, and the resolver must validate. Without DNSSEC, resolvers rely on source port and transaction ID randomization (and, where supported, 0x20 query-name case randomization and DNS cookies), which raise the cost of the race but do not rule out a lucky forgery.

How to Verify

A DNS health checker verifies whether your domain has DNSSEC enabled, meaning a DS record in the parent zone and valid signatures on your zone, which is what lets validating resolvers reject poisoned answers for it. Source port randomization is a property of the recursive resolver that sends the query, not of your authoritative nameservers, so it is the resolvers you control that need checking: confirm that they randomize source ports and that they validate DNSSEC signatures.
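One way to check the validation half yourself, as an added example rather than code from the page or the DomainOptic tool: send a query with the EDNS0 DO bit set and look at the AD (Authenticated Data) flag in the reply, using only the standard library. The transaction ID 0x1234, the sample headers and the name example.com are constructed for illustration; the network function assumes the resolver listens on UDP port 53.

```python
import socket
import struct

# DNS header flag bits (RFC 1035 section 4.1.1; AD and CD from RFC 4035)
FLAG_QR = 0x8000
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_AD = 0x0020    # Authenticated Data: the resolver validated the answer
FLAG_CD = 0x0010    # Checking Disabled
EDNS_DO = 0x8000    # DNSSEC OK bit in the OPT record's flags field


def encode_name(qname):
    """Encode a dotted name as length-prefixed DNS labels."""
    labels = [l.encode("ascii") for l in qname.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def build_query(qname, txid=0x1234, qtype=1):
    """Build a recursive A query carrying an EDNS0 OPT record with DO set, which
    asks the resolver to return DNSSEC records and to set AD if it validated them."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)   # 1 question, 1 additional
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size, then ext-rcode, version, flags, RDLENGTH
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, EDNS_DO, 0)
    return header + question + opt


def parse_header(msg):
    """Return the header fields a validation check needs."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"txid": txid, "qr": bool(flags & FLAG_QR), "ad": bool(flags & FLAG_AD),
            "cd": bool(flags & FLAG_CD), "rcode": flags & 0x000F, "ancount": an}


def response_is_validated(msg, expected_txid):
    """True only for a NOERROR response to our own query with the AD flag set."""
    h = parse_header(msg)
    return h["txid"] == expected_txid and h["qr"] and h["rcode"] == 0 and h["ad"]


def check_resolver(resolver_ip, signed_qname, timeout=3.0):
    """Query a live resolver over UDP (needs network) and report whether it set AD.
    signed_qname must live in a DNSSEC-signed zone: for an unsigned zone even a
    validating resolver never sets AD, so the test would be meaningless."""
    query = build_query(signed_qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (resolver_ip, 53))
        reply, _ = s.recvfrom(4096)
    return response_is_validated(reply, 0x1234)


# Constructed sample replies (only the 12-byte header matters for the flag check).
SAMPLE_VALIDATED = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD, 1, 1, 0, 1)
SAMPLE_UNVALIDATED = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA, 1, 1, 0, 1)
SAMPLE_SERVFAIL = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | 2, 1, 0, 0, 1)

if __name__ == "__main__":
    for label, sample in (("validated", SAMPLE_VALIDATED), ("unvalidated", SAMPLE_UNVALIDATED),
                          ("servfail", SAMPLE_SERVFAIL)):
        print(label, "->", response_is_validated(sample, 0x1234))
    # Live check: check_resolver("192.0.2.53", "example.com.")  (assumed resolver address)
```

Run the live check twice: once against a name in a signed zone, where a validating resolver answers NOERROR with AD set, and once against a name whose signatures are deliberately broken (Comcast's dnssec-failed.org is the usual choice), where a validating resolver answers SERVFAIL while a non-validating one happily returns the address. A resolver that passes only the first test but not the second is not protecting you.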


Common Questions About DNS Cache Poisoning

Can HTTPS protect against DNS cache poisoning?
Partially. HTTPS protects the connection once it is made, not the name lookup that chooses where it goes. If poisoning sends the browser to the attacker's server and the attacker has no certificate valid for your domain, the browser shows a certificate warning (with HSTS in place, one the user cannot click through). But if the attacker obtains such a certificate, whether from a compromised CA or by poisoning the resolver a CA uses for domain validation, HTTPS alone does not help. DNSSEC protects the lookup itself, so the two defenses are complementary rather than interchangeable.
How common is DNS cache poisoning?
Large-scale cache poisoning of major public resolvers is relatively rare today because of modern resolver defenses (source port randomization, DNSSEC validation). Targeted attacks against specific resolvers or networks still occur, particularly against older or misconfigured resolvers. Signing your zone and using validating resolvers is the most effective long-term mitigation.
Disclaimer: DomainOptic provides automated informational scans only. Results do not constitute professional security advice, compliance certification, or a guarantee of security. Always verify findings independently.